Computer security is becoming an increasingly important and urgent issue. As witness to this, consider the present day concern over computer viruses which, if introduced into computer systems, have the ability to read and/or destroy unprotected data. Indeed, a number of such virus attacks have recently received nationwide attention.
Computer security is an encompassing term. It includes many aspects of protecting a computer or computer system. Security issues include system access by unauthorized users or programs and limitation of file access to limited users or groups of users. We are concerned here primarily with the control of access to files. A standard technique of protecting access to files is by means of permissions. In the commercial versions of the UNIX (Registered trademark of AT&T) operating system, for example, every file is associated with a set of READ and WRITE permission bits. In fact, there are three sets of such permission bits for each file, one set for the owner of a file, one set for members of a group associated with the file, and a final set for all other users of the system. A file owner controls the states of these permission bits. Thus, a file owner may prevent others from reading or writing a file by setting the READ, WRITE bits for group members and for all other system users to an unallowed state. Conversely, the file owner might allow all system users total access to a file by setting the READ and WRITE bits associated with all users.
The file permission technique works well in any system in which the users are sensitive to security issues and diligently administer the permission bits over which they have control. However, all system users are not always diligent. As such, the permission bit scheme represents a potential weak link in overall system security. A further disadvantage of the permission scheme is that it is necessarily limited in its flexibility. Some systems require many levels of defined security classifications for users and files alike. Military systems are good examples of such systems, in which files may range in levels from unclassified to top secret and be further partitioned in compartments to which the level may apply. Access to such files must be limited to users having appropriate security clearances and the security classifications must follow the files as they move in a system. In such label systems, both files and user processes are assigned security labels. A user process cannot read a file unless the process security label dominates that of the file. By dominate, it is meant that the security label of the process is sufficient to allow access to the file in accordance with the file security label. Similarly, a process cannot write a file unless the label of the file is at least as high as that of the process.
File access control, including the above permission and labeling methods, are discussed in CRYPTOGRAPHY AND DATA SECURITY, D. Denning, Addison-Wesley, 1982, Chapter 4, pp. 191-258. Also discussed at page 287 of the book is a method commonly referred to as dynamic security labels. In the dynamic security label method, the security labels of files and processes are raised as necessary to allow processes to access files. With such dynamic label methods, some additional form of protection must also be used to prevent ultimate unauthorized leakage of data to destinations external to the system. The dynamic security label method has advantages over fixed label types of methods. Fixed label methods tend to suffocate system users and may in severe cases render flexible and productive use of a system almost impossible. Dynamic labels provide reasonable levels of security while mitigating this suffocating tendency of fixed labels. However, the dynamic security label method has never been commonly used for two reasons. First, it is known that the technique introduces covert channels through which security breaches may occur. This, however, is not a serious problem. The new covert channels are generally limited in bandwidth to approximately one bit of information per system call. Thus, attempts to "smuggle" significant amounts of information through such a covert channel is detectable by relatively simple means. Additionally, to use such a channel, the user must already be cleared to use the data. Second, and more important, the verification of process and file security labels on every read and write operation adds a tremendous amount of overhead to routine system operations. Thus, it is desirable to find ways of reducing this overhead to acceptable levels, thereby allowing advantageous use of the dynamic security label method.